Bug #1211: Heap-buffer-overflow in I2DBmpSource::parse24_32BppRow() - DCMTK - OFFIS DCMTK and DICOM Projects

Actions

Copy link

Bug #1211

closed

Heap-buffer-overflow in I2DBmpSource::parse24_32BppRow()

Added by Marco Eichelberg 5 days ago. Updated about 15 hours ago.

Status:

Closed

Priority:

Normal

Assignee:

Marco Eichelberg

Category:

Library and Apps

Target version:

Start date:

2026-05-21

Due date:

% Done:

100%

Estimated time:

1:00 h

Module:

dcmdata

Operating System:

Compiler:

Description

An invalid BMP file with 16, 24 or 32 bit per pixel that contains a color palette (which is not permitted for these images) consisting only of gray values causes a buffer overflow in I2DBmpSource::parse24_32BppRow(). The code only allocated enough memory for a monochrome image, but then writes an RGB bitmap into that buffer.

The issue can be reproduced by compiling DCMTK with -fsanitize=address,undefined and then calling

img2dcm -i BMP oob-i2dbmps-parse24bpp.bmp out.dcm

Reported 2026-05-04 by Kaixuan.

Files

oob-i2dbmps-parse24bpp.bmp (70 Bytes) oob-i2dbmps-parse24bpp.bmp

PoC file

Marco Eichelberg, 2026-05-21 14:36

Actions

Copy link

Updated by Marco Eichelberg 5 days ago

Status changed from New to Closed
% Done changed from 0 to 100
Estimated time set to 1:00 h

Closed by commit #68b57d3cf.

Actions

Copy link

Updated by Marco Eichelberg about 15 hours ago

Private changed from Yes to No

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

DCMTK

Bug #1211

Heap-buffer-overflow in I2DBmpSource::parse24_32BppRow()

Updated by Marco Eichelberg 5 days ago

Updated by Marco Eichelberg about 15 hours ago